IMF Blames State Actor for Hack

Over the weekend, I expressed some curiosity over who hacked the IMF. They at least say it was a state actor.

Security experts said the source seemed to be a “nation state” aiming to gain a “digital insider presence” on the network of the IMF, the inter-governmental group that oversees the global financial system and brings together 187 member countries.

Tom Kellermann, a cybersecurity expert who has worked for the IMF and was in charge of cyberintelligence in the World Bank’s treasury team, said the intrusion could have yielded a treasure trove of non-public economic data used by the IMF to promote exchange rate stability, support balanced international trade, and provide resources to remedy members’ balance-of-payments crises. “It was a targeted attack,” said Kellermann, who serves on the International Cyber Security Protection Alliance.

[snip]

An internal memo issued on 8 June from the IMF’s chief information officer, Jonathan Palmer, told staff that suspicious file transfers had been detected and that an investigation had shown a desktop computer “had been compromised and used to access some Fund systems”. Significantly, he said that he had “no reason to believe that any personal information was sought for fraud purposes”.

The article mentions alleged Chinese hacks in three other places, suggesting they may be trying to cast blame.

But now this has gotten me thinking. If you were to talk about a country establishing a “digital insider presence” on computer networks looking to collect sensitive financial data, you could be describing this alleged hacker or … the United States’ wiretappers. And that’s even before we threaten to wiretap the SWIFT database so we can take what SWIFT won’t just give us.

I’m not suggesting, mind you, that we’re the ones who hacked IMF. Presumably we can just go and get what we want. But given that we are taking financial information on foreign powers that flows across the telecommunications backbones that transit our country, what’s to distinguish our spying from other countries’ hacking?

  1. radiofreewill says:

    ‘It was a targeted attack.’

    They knew what they were looking for just like the hack on RSA for the encryption key.

    A good law enforcement detective should be able to figure out how to catch these thieves, even if they are ‘state’ actors.

    In the non-fiction cyber-security-thriller ‘The Cuckoo’s Egg,’ the feds created a totally bogus ‘Star Wars’ file knowing it would be irresistible to the hacker – which they then over-watched from a physically-mirrored site that the hacker never suspected – until he was busted at his PC while on-line hacking for the info.

    We’ve got the tools to identify whoever it is that’s doing this…

  2. earlofhuntingdon says:

    But the US is exceptional: it’s a good state actor, it’s just other state actors that are bad, especially when they won’t give us what we bloody well want.

  3. MadDog says:

    One of the things that has crossed my mind is the question of whether we’re seeing more corporate/big government hacks than in the past (i.e. the quantity of hacks is going up), or whether the recent publicization by the MSM of these corporate/big government hacks is a new wrinkle in the same old propaganda suit (i.e. sell the need for cyberwar by scaring the peons).

    Lest I miss an option, let me say that that I don’t neglect the possibility that it could be both.

    Regardless, one thing I am sure of is that the ramping up by the US government and its MIC allies for the need for there to be US Cyberwarriors is another endless money trough funded by us poor taxpayer peons for the MIC pigs to wallow in.

    And like almost every instance since WWII, I am sure that the overwhelming majority of the billions funding this new US Cyberwarrior trough will be wallowed wastefully away with almost nothing of consequence to show for the effort. Nothing but emptier wallets in rube pockets and a Constitution no longer than a Post-it® Note.

  4. Deep Harm says:

    Whether or not a “nation state” is responsible for the hack, administration officials undoubtedly are happy to have the public believe that, thus to soften outrage over the administration’s pretext for establishing internet kill switch capability. As described in the article, Back from the Dead: The Internet “Kill Switch” by Tom Burghardt (May 31st, 2011), the Obama administration believes it needs no Congressional authority to do that. And, with regard to the IMF hack, this part of the article stands out:

    In an essential paper published last month, Loving the Cyber Bomb?, George Mason University researchers Jerry Brito and Tate Watkins wrote that despite a “steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats,” the rhetoric of “‘cyber doom’ employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public.”

    “As a result,” Brito and Watkins averred, “the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War.”

  5. lysias says:

    At the same time that we’re expected to regard this kind of attack as so awful, there are semiofficial leaks that the Stuxnet attack on Iranian computers was the result of joint work of the U.S. and Israeli governments.

    By the way, if the U.S. and/or Israel were capable of the Stuxnet attack, would they not also have been capable of this cyberattack on the IMF?

    Remember, NSA’s technical intelligence capabilities have long been regarded as one of the U.S.’s chief military assets. They weren’t hesitant about bugging diplomats at the UN in the runup to the Iraq war.

  6. orionATL says:

    it was the irish, almost certainly.

    and very timely for erin, eh?

    rumor has they’ve been intensively training the little green buggers in hacker tactics so leprechaun ore searches become more fruitful.

  7. AitchD says:

    Of course it’s the US spooks. The objective is to pass along the info to Wikileaks via a trusted cutout, and the goal is to lay proof crumbs to convict Assange.

    Prior to these revelations, I had bet that it was Colonel Mustard in the conservatory with the lead pipe.

  8. SirLurksAlot says:

    I find it hard to believe that the NSA, DIA and The Company et al. are not already safely inside of every major NGO network. They’ve got an army of crypto-geeks and petaflops of computing power, and Microsoft and the other OS guys wrote them all a stealthy back door in accordance with the Patriot Act…

    • readerOfTeaLeaves says:

      That’s one view of things.
      I live within spitting distance of Borg Central, and am more inclined to the view that MS outsourced so much code that you could probably drive a freight train through portions of the OS and no one would ever know. This view does not make me fashionable with several of my neighbors, but oh, well…

  9. HelenaHandbasket says:

    As I recall, the Bushleaguers in the WH were wiretapping other countries’ diplomats in the UN prior to the conquest and occupation of Messotopia.

    What goes around comes around.

    We are an exceptional people.

  10. JohnLopresti says:

    As part of the original post seems to say, the lede appears credible. However, I also agree the making of one workstation in the Imf network into a mole is an interesting detail, if accurate. I tend toward thinking of at least two rudimentary frames of reference in the latter regard. To me, more than the imF is in the offing for snoop shoppers, given the similar agencies and regional parallels globally. There is the oecd; there is a development bank for Africa; the network of foreign aid intermediaries likely could be envisioned as a fairly fully meshed network, although each would have its private reserve, too. The reasonable hypotheses might be numerous; a hacker might begin by wanting some insider feedback on how far up to float the yuan. Yet, the targets might be multiple southern europe economies, as commenters suggest; I picture German bankers laughing. The premier of Italy also might feel sufficiently diversified and fortified that he could share the joke perceived by germany financiers.

    Another immediate image the post engendered, for me was a standard Geneva world telecom conference poster of the telco topologies of the globe. Besides landline copper, fiber, and now wireless species, there are the international consortia owned space platforms various sorts of specialized orbits; I do not know if they are still doing little Leo and *big* Leo (somewhat cute acronym that, low earth orbit); there are also stationary platforms in far earth orbit, less subject to the gravitational demise of the Leo design; for example, an Egypt movie production house might upload to a satellite serving arab speaking countries pretty far away in southern central asia; or the French space agency may launch a communications satellite owned by some northwest African arab country. I guess I am saying there are numerous physical paths of approaching networks. I have been thinking a lot about germany and france, especially, with respect to the arab spring peoples media infrastructure. Before global dereg, most of the internationally leading vendors of telco switch gear were pretty much state owned entities from Europe, and the indirectly government sanctioned monopoly telco in the US at the time. For several decades I know of, Canada marketed a plain old switch that was, in some analysts’ view, less robust than what the US Bell entity was selling to foreign governments, adhering to the tech euphemisms of the day here. For people who understand, I think the current news item well could be a promising harbinger of some interesting forensics. As an afterthought, mostly, I had been wondering what IT expertise, as well as robotics tech, the new chief at DoD may be transporting. From another imagined perspective, suppose some resource rich nations are interested in mapping extraction strategies to fit the next fifteen year plan, and global business deals based upon data purloined from imF profiles of firstworld countries. Then again, I would wonder if the imF keeps deliberately misleading files in hackable memory, so once stolen the behavior they engender would be telltale.

    • marksb says:

      The thing with teleco switches is that everything changed over the last decade as we went almost entirely to industry-standard packet data, using a hodge-podge of private and public networks. Which is, as we’ve all been discussing, totally accessible with the right talent and equipment. And changing laws.

      • orionATL says:

        so, diverse data exchange “codecs” (in some larger sense) are protective.

        could it be that gov’s desire to snoop easily, as in telecomm negotiations and the patriot act, have made us more vulnerable both to the nsa/fbi AND to the irish?

  11. wendydavis says:

    But ‘evidence’ that hackers were sophisticated enough to arguably be backed by a nation state…can result in ‘military action’ now, no?

  12. readerOfTeaLeaves says:

    I landed on an item just up at NYT and popped over to EW’s to leave a link about how personal financial data was hacked via the browser: “Thieves Found Citigroup Site an Easy Entry“:

    Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May…

    …In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

    Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar.

    Jesus Christ on a cracker…

    • xyno says:

      Wait … so once you were authenticated for one account, you were authenticated for any account?

      That’s an astonishingly basic fuckup in design.

    • emptywheel says:

      Yeah, I’ve been meaning to post on Pat Leahy’s new data privacy bill (well, actually, he has pushed it before to no success). It aims to penalize cos that don’t offer basic security. But not enough to get the cos attention, IMO.
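The design flaw xyno names above, an authenticated user reading any account by changing the identifier in the URL, is easy to show in miniature. The following is an added example, not code from the article, the NYT piece or any bank: a toy account lookup with the vulnerable handler beside a hardened one that checks ownership against the server-side session, plus a small detection heuristic over constructed access-log lines of the kind a "routine check" might run. The account numbers, customer names and log lines are all constructed.

```python
"""Added example (not from the article or any real system): an account
lookup that authenticates but never authorizes, its hardened form, and a
detection check over constructed access logs."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: which customer owns which account.
ACCOUNTS = {
    "4000-0001": {"owner": "alice", "balance": 1200.00},
    "4000-0002": {"owner": "alice", "balance": 80.50},
    "4000-0003": {"owner": "bob", "balance": 5100.00},
}


@dataclass
class Session:
    """Result of a successful login; the server, not the client, sets `user`."""
    user: str


class Unauthorized(Exception):
    """No valid session at all."""


class Forbidden(Exception):
    """Valid session, but the resource does not belong to this user."""


def get_account_vulnerable(session, account_id):
    """Authenticates, then trusts the account id from the URL. Once logged
    in as anyone, the caller can read every account in the table."""
    if session is None:
        raise Unauthorized()
    return ACCOUNTS[account_id]


def get_account_hardened(session, account_id):
    """Authorizes against the server-side session: the account must belong
    to the logged-in user. Unknown and foreign accounts raise the same error,
    so the endpoint cannot be used to enumerate valid account numbers."""
    if session is None:
        raise Unauthorized()
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session.user:
        raise Forbidden()
    return acct


def lookup_outcome(session, account_id):
    """Convenience wrapper: 'ok', 'forbidden' or 'unauthorized' for the
    hardened handler, so callers can check behaviour without try/except."""
    try:
        get_account_hardened(session, account_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except Unauthorized:
        return "unauthorized"


# Constructed access log, one request per line: "<session> <user> <account>"
SAMPLE_LOG = """\
s1 alice 4000-0001
s1 alice 4000-0002
s2 bob 4000-0003
s3 alice 4000-0001
s3 alice 4000-0003
s3 alice 4000-0004
s3 alice 4000-0005
"""


def sessions_touching_many_accounts(log_text, threshold=3):
    """Detection heuristic: flag any session that requests at least
    `threshold` distinct account ids. A legitimate customer touches the few
    accounts they own; a walk through neighbouring ids looks very different.
    Returns {session_id: sorted list of account ids} for flagged sessions."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session_id, _user, account_id = line.split()
        seen[session_id].add(account_id)
    return {sid: sorted(ids) for sid, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    bob = Session(user="bob")
    print(get_account_vulnerable(bob, "4000-0001"))   # alice's account leaks
    print(lookup_outcome(bob, "4000-0001"))            # forbidden
    print(lookup_outcome(bob, "4000-0003"))            # ok
    print(sessions_touching_many_accounts(SAMPLE_LOG))  # {'s3': [...]}
```

The substantive difference between the two handlers is one comparison: the hardened version derives the permitted set of accounts from the session the server created at login, never from anything the browser sent. The log check is deliberately crude, but a per-session count of distinct object ids is exactly the signal that sequential-id walking produces and normal customer use does not.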

  13. JohnJ says:

    I’m having trouble with this whole “must be a state entity” crap. Even Stuxnet is do-able by a single “hacker”. Unless you need physical access, any reasonable programmer with the information could do this shit.

    Using Stuxnet as an example:

    Access to code is easy.
    The company that laid me off last week (yes I am among the unemployed now) builds most of the servers for Cisco in China. For a short time I was working in failure analysis for these servers and had 100% access to their code as it was left on the failed servers. (I had absolutely no reason to do this and would not!)

    The nature of software;
    it is simply a whole bunch of bits that the hardware understands. There is nothing magical about those bits, they are not volatile on a hard drive and copying them does not change them in any way. The hardware when operating could do that if programmed to, but the hardware has to be up and running to monitor it.

    Decoding;
    that source code you see is a human readable abstraction, it still all compiles to bytes for the hardware to run. If it is run on standard hardware (microprocessors) you can disassemble it. Even if run on non-standard hardware, the information still has to be out there for someone to write the software.

    Software Protection;
    any form of software protection still has to have a single point that says yes or no (duh, it’s still binary) and since the software is changeable (it runs in volatile memory and therefore must be copied from a non-volatile format to the volatile memory to run*) you just change that one decision point in RAM to always yes. Better protection schemes have multiple decision points, but they are each still binary and still run one at a time, so you fix one then run until you get to the next one, etc., etc.

    Blowing up the machine;
    the actual machine controllers are even easier, since the code is many orders of magnitude simpler than this incredibly inflated code our PC’s and servers run. Even the fastest mechanical machines run in slow motion to a microprocessor.

    (As a side note; all that damage could have been prevented by making the machine controller’s code only changeable locally, but a whole lot of Engineers would have to leave their air-conditioned cubicles and go to each controller when the base operating code needs to be updated, which should be very seldom.)

    Yeah but:
    all that being said, motivation is everything in the case of Stuxnet, but the code could have been done by any one of a million people.

    Note:
    I’ve oversimplified a lot of this since, even I have designed my own processors that run code that nobody but I know (learning VHDL for other hardware geeks out there), but doing this (designing your own processor) would be an incredible waste of resources for a mechanical machine controller’s relatively simple operation.

    Whew!! longest post ever for me. Way too much time on my hands.

    *that will change in the future as non-volatile ROM (read only memory) catches up in speed to RAM. For the time being, RAM is the only thing that can keep up with the speed of a modern processor. Besides; changing and updating your code would then be a physical thing, not do-able from that nice cubicle.